406/404 error on creating new list!

rbuelund

Member
I know this has been addressed in other threads too, but I cannot find any solution other than to disable mod_security, which is not an option if you do not want to be hacked!

The problem occurs when I try to create a new list. I get into the list creation view, but the TinyMCE editor is not shown, and when I go back I get a 406 error.

My host tells me this:

The problem is data in some cookies which looks like an SQL injection.
There are several pages that generate the block, but it is almost always the same error. It is primarily pages in TinyMCE that generate the block, like:
tiny_mce/plugins/paste/editor_plugin.js
tiny_mce/plugins/insertdatetime/editor_plugin.js
tiny_mce/plugins/searchreplace/editor_plugin.js
tiny_mce/plugins/emotions/editor_plugin.js
tiny_mce/plugins/table/editor_plugin.js
tiny_mce/plugins/media/editor_plugin.js
tiny_mce/plugins/directionality/editor_plugin.js
tiny_mce/plugins/advhr/editor_plugin.js
tiny_mce/plugins/fullscreen/editor_plugin.js
tiny_mce/plugins/layer/editor_plugin.js
tiny_mce/plugins/style/editor_plugin.js
tiny_mce/plugins/xhtmlxtras/editor_plugin.js
tiny_mce/plugins/visualchars/editor_plugin.js
tiny_mce/plugins/nonbreaking/editor_plugin.js
tiny_mce/plugins/visualblocks/editor_plugin.js
tiny_mce/plugins/wordcount/editor_plugin.js
tiny_mce/plugins/template/editor_plugin.js
tiny_mce/plugins/advimage/editor_plugin.js
tiny_mce/plugins/advlink/editor_plugin.js
tiny_mce/plugins/advlist/editor_plugin.js
tiny_mce/plugins/autosave/editor_plugin.js
tiny_mce/plugins/contextmenu/editor_plugin.js
tiny_mce/plugins/inlinepopups/editor_plugin.js

The following line was logged by ModSec when the error occurs:
Access denied with code 406 (phase 2). Pattern match "\\b(\\d+) ?= ?\\1\\b|[\'\"](\\w+)[\'\"] ?= ?[\'\"]\\2\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "1234123413"] [msg "SQL Injection Attack"] [data "0=0"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]



Is it not possible to get around this code-wise instead of server-wise?
 
TinyMCE is not Fabrik.
Can you edit e.g. Joomla articles?

A workaround: select "no editor" as the default editor for your backend user.
 
Nothing we can do about that.

Your host should be able to whitelist that rule on a referring-page basis, i.e. if it's coming from the backend of Joomla, ignore that rule.

That should be safe, as if someone is already logged in as an admin in your J! admin and saving pages (which they would have to be in order to trigger that rule), you have bigger problems than a mod_security rule. :)

-- hugh
 
This is only a problem in connection with Fabrik! TinyMCE works everywhere else on the sites, and I mean 5 different sites. It is only in Fabrik that the problem occurs, so it must be the combination?? But my host told me that TinyMCE in general is very insecure and it is not only logged-in users who can exploit this with an SQL injection if you disable that rule, so not a very good solution.
 
It's possible to selectively disable modsec rules depending on what URL they are firing on. So if you whitelist that rule for URLs with /administrator/index.php?option=com_fabrik, then someone would have to be logged in to the backend to be whitelisted.

-- hugh
 
Hi

The above suggestion did not do it! My host now gets these two messages in the log when I try to create a list.

1:
Handler: /media/editors/tinymce/jscripts/tiny_mce/plugins/insertdatetime/editor_plugin.js HTTP/1.1
Host: xxx.xxxx.dk
mod_security_message: Access denied with code 406 (phase 2). Pattern match "\\b(\\d+) ?= ?\\1\\b|[\'\"](\\w+)[\'\"] ?= ?[\'\"]\\2\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "1234123413"] [msg "SQL Injection Attack"] [data "0=0"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
mod_security_action: 406

2:
Get: /administrator/components/com_fabrik/views/list/tmpl/adminlist-min.js HTTP/1.1
Host: xxx.xxxx.dk
mod_security_message: Access denied with code 406 (phase 2). Pattern match "\\b(\\d+) ?= ?\\1\\b|[\'\"](\\w+)[\'\"] ?= ?[\'\"]\\2\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "1234123413"] [msg "SQL Injection Attack"] [data "0=0"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
mod_security_action: 406
 
For 1, can you not simply disable the insertdatetime TinyMCE plugin?

For 2, can you turn on Fabrik debugging and see what line number is loaded in adminlist.js?
Also ask your host to examine the file and see why their regex thinks it's an SQL injection.

Personally I feel that if hosts use mod_security they should be able to diagnose why their installation picks up false positives and suggest ways round it, rather than leaving you (or us) to figure it out.

For 1 & 2, can your host not disable mod_sec on those files? They don't contain SQL injections and their software is producing false positives.
 
Also, if your host could expand on 'some cookies' and detail exactly which cookies are suspect, that might help. I examined the cookies in Firefox and don't see anything odd with what the list is doing.
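Two things the thread leaves implicit can be checked offline: why the host's regex fires on an ordinary-looking cookie, and why an exclusion scoped to /administrator/index.php?option=com_fabrik did not stop the two blocks logged later. The Python below is an added example written for this page, not code from Fabrik, Joomla, TinyMCE or the host. The rule pattern and the two request paths are copied from the log lines quoted in the thread; the cookie names and values are constructed for illustration; and `blocked()` is a simplified model of a ModSecurity exclusion keyed on REQUEST_URI, not ModSecurity itself.

```python
import re

# Pattern quoted in the thread's ModSecurity log line (rule id 1234123413),
# with the log file's backslash escaping removed so Python's re can compile it.
SQLI_COOKIE_RULE = re.compile(r"""\b(\d+) ?= ?\1\b|['"](\w+)['"] ?= ?['"]\2\b""")

# Path prefix suggested in the thread for the whitelist.
FABRIK_ADMIN_PREFIX = "/administrator/index.php?option=com_fabrik"

# Constructed sample Cookie headers; the names are invented for illustration,
# not taken from a real Joomla/Fabrik session.
SAMPLE_BENIGN_COOKIE = "9a5c3f=abc; lang=en"
# A cookie whose name ends in "-0" and whose value is "0": the text "0=0" sits on
# word boundaries, so the first branch of the rule fires with [data "0=0"],
# exactly what the host's log shows.
SAMPLE_PANEL_COOKIE = "jpanesliders_panel-sliders-0=0; lang=en"
# A cookie value that really does look like a tautology-based injection probe;
# the second branch of the rule catches the quoted '1'='1.
SAMPLE_INJECTION_COOKIE = "id=1' OR '1'='1"


def rule_match(cookie_header):
    """Return the text the rule would log as [data "..."], or None if it does not fire."""
    m = SQLI_COOKIE_RULE.search(cookie_header)
    return m.group(0) if m else None


def blocked(request_uri, cookie_header, exempt_prefixes=(FABRIK_ADMIN_PREFIX,)):
    """Model of the phase-2 decision with a URI-scoped exclusion.

    Mirrors a ModSecurity ctl:ruleRemoveById exclusion keyed on REQUEST_URI:
    when the request path starts with an exempt prefix the rule is skipped entirely
    (whatever the cookie contains); otherwise a match denies the request (406 here).
    """
    if any(request_uri.startswith(p) for p in exempt_prefixes):
        return False
    return rule_match(cookie_header) is not None


def demo():
    """Run the sample cookies against the paths from the thread; returns the outcomes."""
    # Paths copied from the two log entries quoted in the thread.
    editor_js = "/media/editors/tinymce/jscripts/tiny_mce/plugins/insertdatetime/editor_plugin.js"
    adminlist_js = "/administrator/components/com_fabrik/views/list/tmpl/adminlist-min.js"
    fabrik_page = FABRIK_ADMIN_PREFIX + "&view=list&layout=edit"  # constructed query string
    return {
        "match_benign": rule_match(SAMPLE_BENIGN_COOKIE),
        "match_panel": rule_match(SAMPLE_PANEL_COOKIE),
        "match_injection": rule_match(SAMPLE_INJECTION_COOKIE),
        # The whitelisted page itself passes...
        "fabrik_page": blocked(fabrik_page, SAMPLE_PANEL_COOKIE),
        # ...but the scripts that page loads carry the same Cookie header and sit
        # outside the whitelisted prefix, so they are still denied: these are the
        # two requests in the later log entries.
        "editor_js": blocked(editor_js, SAMPLE_PANEL_COOKIE),
        "adminlist_js": blocked(adminlist_js, SAMPLE_PANEL_COOKIE),
        # Widening the exclusion to the asset paths lets the page load, at the cost
        # that an injection-looking cookie is no longer inspected on those paths either.
        "editor_js_widened": blocked(
            editor_js,
            SAMPLE_INJECTION_COOKIE,
            exempt_prefixes=(FABRIK_ADMIN_PREFIX,
                             "/media/editors/tinymce/",
                             "/administrator/components/com_fabrik/"),
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The ModSecurity 2.x directive that `blocked()` stands in for is of the form `SecRule REQUEST_URI "@beginsWith /administrator/index.php?option=com_fabrik" "id:NNN,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=1234123413"`, with the rule id chosen by the host. Because the browser sends the same Cookie header with every script it fetches for the page, an exclusion that matches only index.php leaves the editor_plugin.js and adminlist-min.js requests subject to the rule, which is what the later log entries show; whatever prefixes the host does exempt, the rule then performs no cookie inspection on those paths at all, so keeping the set as narrow as possible is the sensible trade.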
 